PCI compliance not synonymous with security, panel says

A panel held during the annual NRF conference discussed ways that retailers could bolster security.

None of the companies in a soon-to-be released Verizon report that experienced a data breach “were fully PCI [Payment Card Industry Data Security Standard] compliant at the time of breach,” according to Rodolphe Simonetti, managing director of compliance consulting at Verizon Enterprise Solutions, who participated in a company-hosted Jan. 12 evening panel discussion on securing mobile and online retail payments.

In a preview of Verizon’s “2015 PCI Compliance Report,” Simonetti told SCMagazine.com in a phone interview that only “28.6 percent of companies were PCI compliant after one year,” indicating that many organizations “are seeing compliance as a standalone exercise.”

PCI 3.0 was released in November 2013 and all organizations were required to start using it Jan. 1 of this year.

Just as some public schools put tremendous effort into teaching to standardized tests, many companies train their focus on “being ready for an assessment but not applying it to day to day” operations, said Simonetti. “Compliance is an ongoing process.”

The report, due out in February, is based on data collected over the last five years from more than 5,000 assessments of Fortune 500 companies in more than 30 countries, tapping the knowledge of more than 100 consultants.

Even for those companies that are PCI-compliant, Simonetti and Verizon Vice President of Retail & Hospitality Michele Dupre, who moderated the panel, warned against being lulled into a false sense of security. Many believe “compliance means security and it does not,” said Dupre.

While compliance can indeed be an effective tool to strengthen security — helping organizations find and “close important security gaps” — alone it is not enough to protect companies against breaches, Simonetti explained.

To better safeguard themselves, Simonetti recommended that companies maintain compliance, examining “how they fell out of compliance and when,” and that they “leverage compliance to enforce security” across their business.

He also urged retailers to aggressively patch their systems. Those that do log “successes in protecting themselves,” said Simonetti. Keeping up with patching “is really, really significant.”

The panel, held during the National Retail Federation “Retail’s Big Show 2015,” also included Greg Buzek, founder and president of IHL Group, and Marianne, EVP and global head of products and innovation at Elavon, in a wide-ranging discussion that covered the EMV mandate, including where retailers should be by October 2015, and the security challenges they face.